Search Results (45713 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-56276 | 1 Carmelo | 1 Food Ordering Review System | 2025-09-18 | 5.4 Medium | code-projects Food Ordering Review System 1.0 is vulnerable to cross-site scripting (XSS) in the registration function. An attacker enters malicious JavaScript as a username; the payload executes when the admin views user information, disclosing the admin's cookies. |
| CVE-2025-56697 | 1 Askar634 | 1 Computer Base Test | 2025-09-18 | 6.1 Medium | A stored cross-site scripting (XSS) vulnerability was discovered in the /users/adminpanel/admin/home.php?page=feedbacks file of Kashipara Computer Base Test v1.0. Attackers can inject malicious scripts via the smyFeedbacks POST parameter in /users/home.php. |
| CVE-2025-57117 | 1 Remyandrade | 1 Employee Management System | 2025-09-18 | 5.4 Medium | Recorded as a Clickjacking vulnerability in Rems' Employee Management System 1.0, although the behaviour described is that of stored XSS: remote attackers can execute arbitrary JavaScript on the department.php page by injecting a malicious payload into the Department Name field under Add Department. |
| CVE-2024-29154 | 1 Danielmiessler | 1 Fabric | 2025-09-18 | 7.4 High | danielmiessler fabric through 1.3.0 allows XSS in installer/client/gui/static/js/index.js because of innerHTML mishandling, such as in htmlToPlainText. |
| CVE-2024-28434 | 1 Twenty | 1 Twenty | 2025-09-18 | 7.6 High | The CRM platform Twenty is vulnerable to stored cross-site scripting via file upload in version 0.3.0. A crafted SVG file can trigger execution of JavaScript. |
| CVE-2025-33008 | 1 Ibm | 2 Sterling B2b Integrator, Sterling File Gateway | 2025-09-18 | 5.4 Medium | IBM Sterling B2B Integrator 6.2.1.0 and IBM Sterling File Gateway 6.2.1.0 are vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
| CVE-2024-28157 | 1 Jenkins | 1 Gitbucket | 2025-09-18 | 8.0 High | Jenkins GitBucket Plugin 0.8 and earlier does not sanitize GitBucket URLs on build views, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs. |
| CVE-2025-9656 | 1 Phpgurukul | 1 Directory Management System | 2025-09-18 | 4.3 Medium | A security vulnerability has been detected in PHPGurukul Directory Management System 2.0, affecting an unidentified part of the file /admin/add-directory.php. Manipulation of the fullname argument leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. |
| CVE-2025-59035 | 1 Cern | 1 Indico | 2025-09-17 | 4.6 Medium | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Prior to version 3.3.8, there is a cross-site scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Users should update to Indico 3.3.8 as soon as possible. As a workaround, only let trustworthy users create content on Indico. Note that a conference doing a Call for Abstracts actively invites external speakers (whom the organizers may not know and thus cannot fully trust) to submit content, hence the need to update to a fixed version as soon as possible, in particular when using such workflows. |
| CVE-2024-26542 | 1 Bonitasoft | 1 Bonita Web | 2025-09-17 | 6.1 Medium | Cross-site scripting vulnerability in Bonitasoft Bonita Web v7.14, fixed in v9.0.2, 8.0.3, 7.15.7 and 7.14.8, allows attackers to execute arbitrary script in a victim's browser via a crafted payload in the Groups Display name field. |
| CVE-2025-57540 | 1 Proxmox | 1 Virtual Environment | 2025-09-17 | 5.4 Medium | A stored cross-site scripting (XSS) vulnerability exists in the WebAuthn Relying Party field within the Datacenter configuration of Proxmox Virtual Environment (PVE) 8.4. Authenticated users can inject JavaScript code that is later executed in the browsers of users who view the configuration page, enabling client-side attacks. |
| CVE-2025-5806 | 1 Jenkins | 1 Gatling | 2025-09-17 | 8.0 High | Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content. |
| CVE-2025-32027 | 1 Yiiframework | 1 Yii | 2025-09-17 | 6.1 Medium | Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher. |
| CVE-2025-32391 | 1 Hedgedoc | 1 Hedgedoc | 2025-09-17 | 6.4 Medium | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.3, a malicious SVG file uploaded to HedgeDoc can result in XSS when opened in a new tab instead of the editor itself. The XSS is possible by exploiting the JSONP capabilities of GitHub Gist embeddings. Only instances with the local filesystem upload backend, or special configurations where the uploads are served from the same domain as HedgeDoc, are vulnerable. This vulnerability is fixed in 1.10.3. When upgrading to HedgeDoc 1.10.3 is not possible, instance owners can add the following headers for all routes under /uploads as a first countermeasure: Content-Disposition: attachment and Content-Security-Policy: default-src 'none'. Additionally, the external URLs in the script-src directive of the Content-Security-Policy header should be removed. |
| CVE-2025-52036 | 1 Exe-system | 1 Notescms | 2025-09-17 | 6.1 Medium | A vulnerability has been found in NotesCMS and classified as medium severity. Affected by this vulnerability is the page /index.php?route=categories. Manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08), and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. CWE classification: CWE-79. |
| CVE-2025-52035 | 2 Exe-system, Notescms Project | 2 Notescms, Notescms | 2025-09-17 | 6.1 Medium | A vulnerability in NotesCMS, specifically in the page /index.php?route=notes. Manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08) and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. |
| CVE-2025-58452 | 1 Wegia | 1 Wegia | 2025-09-17 | 6.1 Medium | WeGIA is a web manager for charitable institutions. A reflected cross-site scripting (XSS) vulnerability was identified in the listar_despachos.php endpoint of the WeGIA application prior to version 3.4.11. This vulnerability allows attackers to inject malicious scripts via the id_memorando parameter. Version 3.4.11 contains a patch. |
| CVE-2025-52037 | 1 Exe-system | 1 Notescms | 2025-09-17 | 6.1 Medium | A vulnerability has been found in NotesCMS and classified as medium severity. Affected by this vulnerability is the page /index.php?route=sites. Manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08), and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. CWE classification: CWE-79. |
| CVE-2025-8661 | 1 Broadcom | 1 Symantec Pgp Encryption | 2025-09-16 | 6.1 Medium | A stored cross-site scripting (XSS) vulnerability in Symantec PGP Encryption occurs because the server does not properly validate or encode user-supplied data. |
| CVE-2025-57520 | 1 Techhub.p-m | 1 Decap Cms | 2025-09-16 | 6.1 Medium | A cross-site scripting (XSS) vulnerability exists in Decap CMS through 3.8.3. Input fields such as body, tags, title, and description are not properly sanitized before being rendered in the content preview pane. This enables an attacker to inject arbitrary JavaScript which executes whenever a user views the preview panel. The vulnerability affects multiple input vectors and does not require user interaction beyond viewing the affected content. |
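The HedgeDoc entry (CVE-2025-32391) spells out a header-based workaround for same-origin SVG uploads: force `Content-Disposition: attachment` and a `default-src 'none'` CSP on everything under /uploads, and drop external URLs from `script-src`. The following is an added example, written here to show that workaround as code; it is not HedgeDoc's own code. It assumes a framework-neutral setup where you can see the request path and the outgoing header map before the response is sent, and that uploads live under the hypothetical path prefix /uploads/.

```javascript
// Added example, not HedgeDoc project code. Implements the CVE-2025-32391 workaround:
// (1) for /uploads responses, force download and deny all active content;
// (2) for every response, strip external host/scheme sources from script-src.

// script-src tokens that are keywords rather than external sources.
const SCRIPT_KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'report-sample'", "'unsafe-hashes'",
]);

// A source is "external" unless it is a keyword, a nonce or a hash.
// Scheme sources such as https: or blob: are treated as external too.
function isExternalSource(token) {
  if (SCRIPT_KEYWORDS.has(token)) return false;
  if (/^'(nonce|sha(256|384|512))-/.test(token)) return false;
  return true;
}

// Rewrites a CSP string so that script-src keeps only keyword, nonce and hash
// sources. Other directives are passed through untouched.
function stripExternalScriptSources(csp) {
  return csp
    .split(";")
    .map((d) => d.trim())
    .filter(Boolean)
    .map((directive) => {
      const [name, ...sources] = directive.split(/\s+/);
      if (name.toLowerCase() !== "script-src") return directive;
      const kept = sources.filter((s) => !isExternalSource(s));
      return [name, ...kept].join(" ");
    })
    .join("; ");
}

// Headers to add for responses under the (assumed) /uploads prefix. The path
// must already be normalized; a "/uploads/../x" style path is the caller's problem.
function uploadsHeaders(pathname) {
  const isUpload = pathname === "/uploads" || pathname.startsWith("/uploads/");
  if (!isUpload) return {};
  return {
    "Content-Disposition": "attachment",
    "Content-Security-Policy": "default-src 'none'",
  };
}

// Combines both steps on an outgoing header map and returns the hardened copy.
// For /uploads the restrictive CSP deliberately replaces the site-wide one.
function hardenResponseHeaders(pathname, headers) {
  const out = { ...headers };
  if (typeof out["Content-Security-Policy"] === "string") {
    out["Content-Security-Policy"] = stripExternalScriptSources(out["Content-Security-Policy"]);
  }
  return Object.assign(out, uploadsHeaders(pathname));
}

// Constructed sample: a site-wide CSP that still allows a gist host in script-src.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://gist.github.com 'nonce-abc123'; img-src *";

module.exports = { isExternalSource, stripExternalScriptSources, uploadsHeaders, hardenResponseHeaders, SAMPLE_CSP };
```

Keeping `'unsafe-inline'` only because it is a keyword is a choice made to match the advisory's narrow instruction (remove external URLs); a policy that still carries it offers little protection, so treat its survival as something to fix separately rather than as an endorsement.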